RE: [nc-transfer] EPP Authorization Information and Domain Transfers

["Cade,Marilyn S - LGA" <mcade@att.com>]

Scott, I welcome this submission.

I think this is worth further discussion. I don't know if you envision co-existence of the two? However, I wonder whether also, some registrants might comment on whether registrant management has limitations due to the reality that many registrants are extremely ... could I suggest, forgetful?  I don't know enough at this point about what you are envisioning and believe some further dialogue with the TF will be helpful to us. I've asked Ross Rader if he can coordinate with you toward such a dialogue.

-----Original Message-----
From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: Tuesday, October 29, 2002 4:16 AM
To: 'nc-transfer@dnso.org'
Subject: [nc-transfer] EPP Authorization Information and Domain
Transfers


During today's transfer task force presentation in Shanghai I noted the
description of EPP authorization information (called "authorization codes"
during the presentation) with interest.  As the author of EPP I'd like to
suggest an alternative to the method of sharing authorization information
with registrants as described during the presentation [1] and as currently
practiced by some registrars:

When I originally envisioned the authorization information concept, I
believed it would be most useful if a registrant provided the registrar with
their desired authorization information as part of the process of managing
the registration of a domain name.  That is, when a name is registered the
authorization information (typically a password) would be provided by the
registrant as part of the registration process and passed through the
registrar to the registry.  If forgotten, the authorization information
could be retrieved for the registrant from the registry through the
registrar.  The registrant would thus possess the authorization information
at all times, and nothing would need to be collected from the registrar to
facilitate a transfer.

EPP does not require a registrar to solicit authorization information from a
registrant, nor does it require the registrar to create authorization
information for registrants to be returned when requested.  The specific
method of generating authorization information is a matter of registry and
registrar business practice, with the protocol being flexible enough to
support different business practices.

Anyway, to cut to the chase I'd like to simply suggest that the task force
consider that there is at least one other way to use authorization
information to facilitate domain name transfers.  Registrar management of
authorization information is one option.  Registrant management of
authorization information is another.

Scott Hollenbeck
VeriSign Global Registry Services

[1]
"Registrars must provide Registrants with authorization codes (where
applicable) within 72 hours."